Forensics: For2 Google CTF Writeup

Posted on May 3, 2016

I started my journey in information security just a while ago, and my forensic skills are somewhat non-existent, so I'm pretty excited when I can solve a decent forensic problem in a CTF (that's why I need to write about it right away).
So, I solved some Web challenges and a plaintext IRC log extraction, and moved myself up the scoreboard a little. That's when I tried to see which challenge the people around me were solving, and I thought maybe I could solve this one (it helped a lot, since I thought about giving up several times, which is also a problem I need to fix in myself). This is how a newbie solves the problem.

The challenge is here. It's a simple pcap file, and Wireshark tells us it's USB traffic. Scrolling down a bit, I saw a "GET DESCRIPTOR" request/response that said "Logitech Optical Mouse", so it must be a USB mouse.
The rest of the traffic is USB interrupt transfers, so the mouse is doing something. I used Python with dpkt to read the pcap file and extract the data.

Each record starts with the USBPcap pseudo-header: a 2-byte header length, which is 0x001b = 27 bytes (that is the "1b 00" at the start of every interrupt packet when read as little-endian), followed by the IRP ID and the rest of the header fields. After the header, the raw HID payload is 4 bytes of the form "00(or 01) aa bb 00". I searched for the USB mouse report format and found this: the first byte is a bitmask of mouse buttons 1-5 (bit 0 = button 1), the next two bytes are the X and Y movement, and the last byte is the wheel.
Only 00 and 01 appear in the first byte; 01 is bit 0 set, i.e. button 1, which is normally the left button. We just need to track the mouse movement and record the position whenever there's a click. X and Y are straightforward: each byte is a signed 8-bit relative delta, so a raw value of 128 or higher is negative (moving left or, for Y, up, since in the HID convention Y grows downward) and a value below 128 is positive (right or down). You don't need to get the directions right on the first try: just define a rule, integrate the deltas, and flip or rotate the result as needed.